Enable AWS IoT Device Defender Audit in the console; select the audit checks to run (e.g., CA certificate expiring, device certificate age, overly permissive IoT policies, overly permissive unauthenticated Cognito identity pool role).
Schedule the audit to run daily or on-demand; review audit findings in the console or via the ListAuditFindings API, filtering by severity and check name.
Enable Device Defender Detect and create a Security Profile with behaviours defining expected device metrics (e.g., maximum outbound bytes per minute, maximum listening TCP ports).
Attach the Security Profile to a thing group; the Detect service evaluates reported metrics against defined thresholds and raises violations when devices deviate.
On the device, use the Device Defender SDK to collect and publish metrics to the reserved topic $aws/things/THING_NAME/defender/metrics/json on a regular schedule.
Configure SNS or EventBridge targets on violation alerts so that operations teams are notified when a device exhibits anomalous behaviour.
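The Security Profile and the device-side metrics report from the steps above, as an added example that is not part of the original page or of any AWS SDK: it builds a profile in the shape accepted by the CreateSecurityProfile API, builds a report in the JSON shape the agent publishes to the reserved defender/metrics/json topic, and evaluates the report locally against the profile's behaviours the way Detect does (count thresholds and port-set membership). The profile name, thresholds, approved ports and the sample reports are constructed for illustration; the `evaluate` function is a local dry-run helper, not an AWS API.

```python
"""Local dry-run of an AWS IoT Device Defender Detect Security Profile.

Lets an operator sanity-check behaviour thresholds against realistic device
reports before attaching the profile to a thing group, so that a fleet is not
flooded with violations by an overly tight baseline (or silently unprotected
by a loose one).
"""
import json

# Security Profile in the shape accepted by iot:CreateSecurityProfile.
# Name, thresholds and approved ports are assumed values for this example.
SECURITY_PROFILE = {
    "securityProfileName": "FleetBaseline",
    "behaviors": [
        {   # at most two listening TCP ports
            "name": "MaxListeningTcpPorts",
            "metric": "aws:num-listening-tcp-ports",
            "criteria": {
                "comparisonOperator": "less-than-equals",
                "value": {"count": 2},
                "consecutiveDatapointsToAlarm": 1,
                "consecutiveDatapointsToClear": 1,
            },
        },
        {   # every listening TCP port must be in the approved set (MQTT/TLS, HTTPS)
            "name": "ApprovedTcpPorts",
            "metric": "aws:listening-tcp-ports",
            "criteria": {
                "comparisonOperator": "in-port-set",
                "value": {"ports": [8883, 443]},
            },
        },
        {   # at most 100 kB sent per five-minute evaluation window
            "name": "MaxBytesOut",
            "metric": "aws:all-bytes-out",
            "criteria": {
                "comparisonOperator": "less-than-equals",
                "value": {"count": 100000},
                "durationSeconds": 300,
            },
        },
    ],
}


def make_report(report_id, tcp_ports, bytes_out):
    """Build a device metrics report (constructed sample) in the JSON shape the
    Device Defender agent publishes to $aws/things/THING_NAME/defender/metrics/json.
    bytes_out is taken as the bytes sent during the reporting window (assumption)."""
    return {
        "header": {"report_id": report_id, "version": "1.0"},
        "metrics": {
            "listening_tcp_ports": {
                "ports": [{"interface": "eth0", "port": p} for p in tcp_ports],
                "total": len(tcp_ports),
            },
            "network_stats": {"bytes_in": 0, "bytes_out": bytes_out,
                              "packets_in": 0, "packets_out": 0},
        },
    }


def metric_value(metric, report):
    """Map a Detect metric name onto the corresponding field of a device report."""
    m = report["metrics"]
    if metric == "aws:num-listening-tcp-ports":
        return m["listening_tcp_ports"]["total"]
    if metric == "aws:listening-tcp-ports":
        return [p["port"] for p in m["listening_tcp_ports"]["ports"]]
    if metric == "aws:all-bytes-out":
        return m["network_stats"]["bytes_out"]
    raise KeyError(f"metric not modelled in this dry-run: {metric}")


_COMPARE = {
    "less-than": lambda v, t: v < t,
    "less-than-equals": lambda v, t: v <= t,
    "greater-than": lambda v, t: v > t,
    "greater-than-equals": lambda v, t: v >= t,
}


def evaluate(profile, report):
    """Return [(behaviour name, observed value)] for every behaviour the report violates."""
    violations = []
    for b in profile["behaviors"]:
        crit = b["criteria"]
        op = crit["comparisonOperator"]
        observed = metric_value(b["metric"], report)
        if op in _COMPARE:
            ok = _COMPARE[op](observed, crit["value"]["count"])
        elif op == "in-port-set":
            ok = set(observed) <= set(crit["value"]["ports"])
        elif op == "not-in-port-set":
            ok = not (set(observed) & set(crit["value"]["ports"]))
        else:
            raise ValueError(f"operator not modelled in this dry-run: {op}")
        if not ok:
            violations.append((b["name"], observed))
    return violations


if __name__ == "__main__":
    healthy = make_report(1, [8883], 40000)          # constructed: normal device
    suspect = make_report(2, [8883, 443, 22], 250000)  # constructed: extra port, heavy egress
    print(json.dumps(healthy))                        # payload as the agent would publish it
    print("healthy:", evaluate(SECURITY_PROFILE, healthy))
    print("suspect:", evaluate(SECURITY_PROFILE, suspect))
```

Once the thresholds look right, the same `SECURITY_PROFILE` dict can be passed as keyword arguments to boto3's `iot.create_security_profile(...)` and the profile attached to a thing group with `iot.attach_security_profile(...)`; those calls are not made here so that the dry-run stays offline.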
Known gotchas
Device Defender Detect can only evaluate device-side metrics that the device actually publishes; if the device firmware does not include the metrics collection agent, there are no device-side metrics for cloud-side ML anomaly detection to act on.
Audit findings are snapshots; they reflect the state at the time the audit ran and do not update retroactively if you remediate a finding between scheduled runs.
Policies flagged as overly permissive by the audit tool do not automatically get restricted; remediation requires manually scoping down the policy and re-deploying it to affected devices.